A combination of policy, collaboration and education should be the first steps to BYOD

A bring-your-own-device (BYOD) policy can be implemented when policy, education and technology are aligned and when the business is prepared.

At a debate this week following the publication of the Juniper Trusted Mobility Index, it was claimed that a BYOD policy should depend first on the business, and that collaboration and education need to play a part.

Nushin Hernandez, analyst at Canalys, said that to enable a BYOD policy, businesses should take a holistic view of enterprise security and compliance, and need a content-based policy that is user-, device-, location- and application-aware.

“You can add security to protect the intellectual property on the device, and that is important in terms of identity and access management and in terms of appropriation of applications,” she said.

“A holistic view will cover mobile device management (MDM), mobile and network security, and ensure that what enters the perimeter, and connections between devices, are secure.”

John Smith, ICT network manager at Settle College, said he had implemented a BYOD policy for his sixth-form students so they are able to use, and learn from, new technology.

“With security covered, you can track the device down and know what it has accessed, and we have had no issues at all; we understand the analogy and our students say it helps them feel like young adults rather than kids,” he said.

“With BYOD, you have got to have it there; our students enjoy it and parents report a good experience of it.”

Asked if he felt that BYOD was a complicated process to roll out, he said Settle's was led by the ICT manager, who requested the policy be implemented.

“It has taken a couple of years to get there – some parents still believe, after the wireless scares from a few years ago, that radio waves will turn their kids into bug-eyed monsters. Our latest project is on biometrics and they are taking to it quite well,” he said.

“Work together is what I say; we are seen as the flagship school and I contribute to the EduGeek website. Other schools have come to see what we are doing. I won't say ours is perfect but it works for Settle College.”

Paul Gainham, senior director of solutions EMEA at Juniper, said companies must first determine their approach and implement as appropriate.

He said: “Define your approach, define your policy and choose the right direction for you and technologies. If you are working in a sensitive industry, say the Ministry of Defence, it may be that your policy is ‘no way will we support any non-approved devices’ and if people breach that, then they are fired.

“On the other hand, there is the more proactive and embracing approach; the challenging one is in the middle, where they are denying that it is happening. The evidence is in their face, it is happening and people are doing this. A hard policy is a dangerous place to be as that is fertile ground for all the breaches and challenges.”

At a recent roundtable, Captain Simon Wise, deputy head of service operations at the global operations security control centre at the MoD, said it does not allow BYOD. Commenting on this, Gainham said: “That is perfectly reasonable, it is impossible to stop people doing unnatural things, but you make it harder for them and for me; having a prohibitive and restrictive policy is not the right approach and a more embracing and open one is better.”

A survey released this week by Juniper found that almost two-thirds (65 per cent) of businesses believe employees are not accessing corporate data on personal devices, when in fact 42 per cent are doing so without permission.
